onnxruntime-web
A Javascript library for running ONNX models on browsers
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/cjs/ort.all.min.js | AI (source-diff): Standard esbuild/rollup bundle output for ONNX Runtime Web. Network calls are WASM loading; dynamic execution is module initialization. Not malicious. | ai | |
| source-diff | net-exec-file:dist/esm/ort.min.js | AI (source-diff): Standard esbuild/rollup bundle output for ONNX Runtime Web. Network calls are WASM loading; dynamic execution is module initialization. Not malicious. | ai | |
| source-diff | net-exec-file:dist/cjs/ort.min.js | AI (source-diff): Standard esbuild/rollup bundle output for ONNX Runtime Web. Network calls are WASM loading; dynamic execution is module initialization. Not malicious. | ai | |
| source-diff | net-exec-file:dist/esm/ort.all.min.js | AI (source-diff): Standard esbuild/rollup bundle output for ONNX Runtime Web. Network calls are WASM loading; dynamic execution is module initialization. Not malicious. | ai | |
| source-diff | net-exec-file:dist/esm/ort.webgl.min.js | AI (source-diff): Standard esbuild/rollup bundle output for ONNX Runtime Web. Network calls are WASM loading; dynamic execution is module initialization. Not malicious. | ai | |
| source-diff | net-exec-file:dist/cjs/ort.webgl.min.js | AI (source-diff): Standard esbuild/rollup bundle output for ONNX Runtime Web. Network calls are WASM loading; dynamic execution is module initialization. Not malicious. | ai | |
| source-diff | net-exec-file:dist/ort.webgpu.min.js | AI (source-diff): Standard webpack-bundled ML inference library; network calls load WASM/model files and code execution runs ONNX inference. Not dropper behavior. Stable for this package. | ai | |
| source-diff | obfuscated-file:dist/ort-wasm-simd-threaded.jsep.js | AI (source-diff): Emscripten-compiled WASM glue file with Microsoft copyright header; long lines are standard Emscripten output, not obfuscation. Stable pattern for this package. | ai | |
| provenance | publisher-changed | AI (provenance): New publisher 'eire' matches the package's declared author 'fs-eire'; legitimate maintainer transition for this Microsoft ONNX Runtime package. Publisher has 24 approved packages and 1166 days of history. | ai | |
| source-diff | obfuscated-file:dist/ort.webgl.mjs | AI (source-diff): Minified build artifact for onnxruntime-web WebGL backend; long lines are expected in bundled ML runtime output. | ai | |
| source-diff | net-exec-file:dist/ort.all.bundle.min.mjs | AI (source-diff): Standard minified ML runtime bundle; network calls fetch WASM/model data, dynamic code is module loading boilerplate. Expected for onnxruntime-web build artifacts. | ai | |
| source-diff | net-exec-file:dist/ort.all.min.mjs | AI (source-diff): Standard minified ML runtime bundle; network calls fetch WASM/model data, dynamic code is module loading boilerplate. Expected for onnxruntime-web build artifacts. | ai | |
| source-diff | obfuscated-file:dist/ort.all.mjs | AI (source-diff): Minified build artifact for onnxruntime-web; long lines are expected in bundled ML runtime output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/ort.all.mjs | AI (source-diff): Standard ML runtime bundle; network/dynamic patterns are expected for WASM loading and module interop. | ai | |
| source-diff | net-exec-file:dist/ort.bundle.min.mjs | AI (source-diff): Standard minified ML runtime bundle; network/dynamic patterns are expected for WASM loading and module interop. | ai | |
| source-diff | net-exec-file:dist/ort.min.mjs | AI (source-diff): Standard minified ML runtime bundle; network/dynamic patterns are expected for WASM loading and module interop. | ai | |
| source-diff | obfuscated-file:dist/ort.mjs | AI (source-diff): Minified build artifact for onnxruntime-web; long lines are expected in bundled ML runtime output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/ort.mjs | AI (source-diff): Standard ML runtime bundle; network/dynamic patterns are expected for WASM loading and module interop. | ai | |
| source-diff | obfuscated-file:dist/ort.wasm.mjs | AI (source-diff): Minified build artifact for onnxruntime-web WASM backend; long lines are expected in bundled ML runtime output. | ai | |
| source-diff | net-exec-file:dist/ort.webgl.min.mjs | AI (source-diff): Standard minified WebGL backend bundle; network/dynamic patterns are expected for WASM loading and module interop. | ai | |
| source-diff | net-exec-file:dist/ort.webgl.mjs | AI (source-diff): Standard ML runtime bundle for WebGL backend; network/dynamic patterns are expected for WASM loading and module interop. | ai | |
| source-diff | net-exec-file:dist/ort.webgpu.bundle.min.mjs | AI (source-diff): Standard minified WebGPU backend bundle; network/dynamic patterns are expected for WASM loading and module interop. | ai | |
| source-diff | obfuscated-file:dist/ort.webgpu.mjs | AI (source-diff): Minified build artifact for onnxruntime-web WebGPU backend; long lines are expected in bundled ML runtime output. | ai | |
| source-diff | net-exec-file:dist/ort-wasm-simd-threaded.jspi.mjs | AI (source-diff): Legitimate WASM module loader for JSPI backend; network calls load WASM artifacts, not malicious payloads. | ai | |
| source-diff | net-exec-file:dist/ort.jspi.bundle.min.mjs | AI (source-diff): Bundled WASM loader; network calls are for legitimate WASM module initialization, not malware. | ai | |
| source-diff | obfuscated-file:dist/ort.jspi.mjs | AI (source-diff): Minified ES module distribution; standard build artifact for ONNX Runtime Web library. | ai | |
| source-diff | net-exec-file:dist/ort-wasm-simd-threaded.jsep.mjs | AI (source-diff): WASM module initialization code with legitimate async/worker patterns; not malware. | ai | |
| source-diff | net-exec-file:dist/ort-wasm-simd-threaded.asyncify.mjs | AI (source-diff): File is Emscripten-generated WASM runtime code; network+exec pattern is expected for module loading and initialization, not malware. | ai | |
| source-diff | obfuscated-file:dist/ort.all.js | AI (source-diff): Minified JS bundle from Microsoft's ONNX Runtime Web build pipeline. Long lines are standard minification output, not obfuscation for malicious purposes. | ai | |
| source-diff | obfuscated-file:dist/ort.wasm.js | AI (source-diff): Minified build artifact; standard for web libraries. | ai | |
| dependencies | unvetted-dep:protobufjs | AI (dependencies): protobufjs is a standard serialization library; legitimate for ONNX model handling. | ai | |
| source-diff | obfuscated-file:dist/ort.jspi.js | AI (source-diff): Minified JavaScript distribution from esbuild/TypeScript compiler; standard for web library builds. Copyright header confirms Microsoft authorship. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): protobufjs is a legitimate, established library; normal refactoring from onnx-proto. | ai | |
| source-diff | net-exec-file:dist/ort.all.js | AI (source-diff): Unminified bundle variant of ONNX Runtime Web. Network+exec pattern is legitimate WASM loading and module initialization. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): erscor_msft is a Microsoft employee added to a Microsoft-owned package; expected organizational change. | ai | |
| source-diff | net-exec-file:dist/ort.all.min.js | AI (source-diff): Minified bundle variant of ONNX Runtime Web. Network+exec pattern is legitimate WASM loading and module initialization. | ai | |
| source-diff | net-exec-file:dist/ort.webgl.js | AI (source-diff): Dynamic require patterns in bundled code are normal CommonJS/ESM interop. | ai | |
| source-diff | obfuscated-file:dist/ort.webgl.js | AI (source-diff): Minified build artifact; standard for web libraries. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 184 new files are expected for major version bump with build system refactor; no injection indicators. | ai | |
| source-diff | obfuscated-file:dist/ort.webgpu.js | AI (source-diff): Minified build artifact; standard for web libraries. | ai | |
| provenance | no-provenance | AI (provenance): onnxruntime-web is a well-established Microsoft package with 363 versions and a clear GitHub repo. Lack of Sigstore provenance is not a meaningful risk signal here. | ai | |
| phantom-deps | phantom-dep:platform | AI (phantom-deps): platform is a utility library referenced in config; common pattern in build tools. | ai |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 1.26.0 | 6 / 29 | |
| 1.25.1 | 6 / 29 | |
| 1.24.3 | 6 / 29 | |
| 1.24.2 | 6 / 29 | |
| 1.24.1 | 6 / 29 | |
| 1.23.2 | 6 / 29 | |
| 1.23.0 | 6 / 29 | |
| 1.22.0 | 6 / 29 | |
| 1.21.1 | 6 / 29 | |
| 1.21.0 | 6 / 29 | |
| 1.20.1 | 6 / 30 | |
| 1.20.0 | 6 / 30 | |
| 1.19.2 | 6 / 29 | |
| 1.19.0 | 6 / 29 | |
| 1.18.0 | 6 / 28 | |
| 1.17.3 | 6 / 28 | |
| 1.17.1 | 6 / 28 | |
| 1.17.0 | 6 / 28 | |
| 1.16.3 | 6 / 28 | |
| 1.16.2 | 6 / 28 | |
| 1.16.1 | 6 / 28 | |
| 1.16.0 | 6 / 28 | |
| 1.14.0 | 6 / 44 | |
| 1.12.1 | 6 / 44 | |
| 1.12.0 | 6 / 44 | |
| 1.11.0 | 6 / 44 | |
| 1.10.0 | 6 / 44 | |
| 1.9.0 | 6 / 40 | |
| 1.8.0 | 6 / 38 |
v1.26.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.23.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-04. This could indicate a legitimate maintainer transition or an account compromise.
v1.23.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-26. This could indicate a legitimate maintainer transition or an account compromise.
v1.22.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.1
2 findingsThis version was published by a different npm account than previous versions on 2025-04-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.21.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.3
7 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.1
7 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
7 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.3
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.2
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.1
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.